From owner-freebsd-questions@FreeBSD.ORG Thu Nov 27 01:36:35 2014
From: Eric Popelka
Date: Wed, 26 Nov 2014 20:02:21 -0500
To: freebsd-questions@freebsd.org
Subject: My ipfilter rules are overreaching...
Message-ID: <5476781D.2060904@cox.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hello BSD friends,

I've enabled ipfilter by adding the following to my /etc/rc.conf:

    ipfilter_enable="YES"            # load ipfilter kernel module
    ipfilter_rules="/etc/ipf.rules"  # my rules file
    ipmon_enable="YES"               # try to keep out hax0rs
    ipmon_flags="-Ds"                # run as a daemon, save using syslogd

My rules file (/etc/ipf.rules) reads as follows (not verbatim, trying to
just get to the facts):

    # No restrictions on loopback (lo0)
    pass in quick on lo0 all
    pass out quick on lo0 all

    # Allow outbound traffic
    pass out quick on xn0 all keep state

    ### SNIP: 6 'pass in' rules to enable DHCP, NTP, ICMP ###

    # Allow in the whole subnet assigned to my cable modem
    # (hack, eventually want to just allow access to certain ports)
    pass in log first on xn0 from 72.205.44.0/23 to any

    # Keep out hax0rs
    block in log first quick on xn0 all

Unfortunately, this is keeping me out from ssh'ing in to my server. I get
the following message in /var/log/messages:

    ipmon: xn0 @0:8 b 72.205.45.###,40455 -> 104.128.###.###,22 PR tcp len 20 64 -S IN

(### = actual numbers <= 255, obviously)

I'm stumped. I triple-checked that the IP address from which I'm
connecting is in the subnet that I specified in my 'pass in' rule. Am I
not writing my rules in the correct order?

Output from uname:

    FreeBSD 10.0-RELEASE #0 r260789: Thu Jan 16 22:34:59 UTC 2014

I ran 'pkg update' and 'pkg upgrade'.

Thanks.
- -- 
Eric Popelka
arickp@cox.net

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - https://gpgtools.org

iQIcBAEBCgAGBQJUdngdAAoJEBQPax3MeNrT5mgQANHp72lyQ1ty88p8rdyNeeV2
ye2jaYrkQVzfqLs0AAUVgpaHpX6GcWCqJElIt82rG/1jIZBIkAeWDaG5UpbT13Xf
+V97OgTwZ24fk9i//mTQWakbuQ+Mkfg1P9ecJn3KBTq+HuI14P7g0+33Z1FtCnT6
I+ALNq65vwemat4qJ7IroiDaf3MQWO+7vBFL2ocp3qqB7M/WmPuImHo3z0rd4ihl
q5XSD/QuIAGkX/xa1f35VZ7errA0o6RTXnOWJi/uheE1SClXhfXQvfXycw4sp0KL
fjaO9mgk84yl9y407X2iWQWzJ8wTiWPkBUlEKdC1L0yCYPTQ0IVsuDSOXK2zATn1
RYlJWvSAes+Hgq2oVBr8ChUVLs6OQiktUNQKGqZxYA/5VQ95dFL2DNy0l2iteywx
be5dvQaKN203XyFYujoV6Z49I56OzDXdpdXKRfUDzNhnf8jiBDUhLRCHyXUqMLv2
AZjuzktld3ePwtVaZnREOzDjSqdpejx4Vtgtr/3Ij94Y5LLPS73DYP4+e9l25Qp2
SWuSyZBQZ9DcWIA0UEU6v8tr5Sx02yfaBjWx4CXcK+svM5gk4ife9Cd4v4Pgmc8U
uakqaikyYdQRwHQp7up2vkG5q5ozdAPCoL7Vn/07Tf1sgAyMQ+PU6cIzfqQFY+NJ
g6wrE+wIQWPsu6XDzCwU
=z21E
-----END PGP SIGNATURE-----
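The question in the post turns on two ipfilter properties: rules are walked top to bottom and the last matching rule supplies the verdict, except that a matching rule marked `quick` ends the walk immediately. The toy evaluator below is an added example (not part of the post and not ipf's own code) that models just those two properties for a small subset of ipf syntax and runs the posted rules, a `quick` variant, and the narrower SSH-only variant the poster says they eventually want, against a packet constructed from the ipmon line in the post. The masked octets in that line are replaced with placeholder addresses chosen to sit inside (source) and outside (destination) 72.205.44.0/23; the six snipped DHCP/NTP/ICMP rules are omitted here as well; `keep state` and `log` are accepted but not modelled.

```python
"""Toy evaluator for a small subset of IPFilter (ipf) rule syntax.

Added example, not ipf's own code. Understood: 'pass'/'block', 'in'/'out',
'log [first]', 'quick', 'on <iface>', 'proto <name>', 'from <cidr|any>',
'to <cidr|any>', 'port = <n>', 'all' and 'keep state'. Logging and state
tracking are parsed and then ignored.
"""
import ipaddress


def parse_rule(text):
    """Turn one ipf rule line into a dict; raises ValueError on unsupported syntax."""
    tokens = text.split()
    if len(tokens) < 2 or tokens[0] not in ("pass", "block") or tokens[1] not in ("in", "out"):
        raise ValueError("unsupported rule: " + text)
    rule = {"text": text, "action": tokens[0], "dir": tokens[1], "quick": False,
            "iface": None, "proto": None, "src": "any", "dst": "any",
            "sport": None, "dport": None}
    side = None  # endpoint ('s' or 'd') that a following 'port = N' belongs to
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok == "log":  # 'log' / 'log first' only affect what ipmon records
            i += 2 if tokens[i + 1:i + 2] == ["first"] else 1
        elif tok == "quick":
            rule["quick"] = True
            i += 1
        elif tok in ("on", "proto"):
            rule["iface" if tok == "on" else "proto"] = tokens[i + 1]
            i += 2
        elif tok == "all":  # any address to any address
            i += 1
        elif tok in ("from", "to"):
            side = "s" if tok == "from" else "d"
            rule["src" if side == "s" else "dst"] = tokens[i + 1]
            i += 2
        elif tok == "port" and tokens[i + 1:i + 2] == ["="] and side:
            rule[side + "port"] = int(tokens[i + 2])
            i += 3
        elif tokens[i:i + 2] == ["keep", "state"]:  # state is not modelled here
            i += 2
        else:
            raise ValueError("unsupported token %r in rule: %s" % (tok, text))
    return rule


def _addr_matches(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def rule_matches(rule, pkt):
    return (rule["dir"] == pkt["dir"]
            and rule["iface"] in (None, pkt["iface"])
            and rule["proto"] in (None, pkt["proto"])
            and rule["sport"] in (None, pkt["sport"])
            and rule["dport"] in (None, pkt["dport"])
            and _addr_matches(rule["src"], pkt["src"])
            and _addr_matches(rule["dst"], pkt["dst"]))


def evaluate(rules, pkt):
    """Return (verdict, 1-based index of the deciding rule, or None if nothing matched).

    ipf semantics: every rule is tried in order; the last one that matches
    supplies the verdict, except that a matching 'quick' rule stops the walk
    at once. With no matching rule at all, ipf's default is to pass.
    """
    verdict, winner = "pass", None
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            verdict, winner = rule["action"], n
            if rule["quick"]:
                break
    return verdict, winner


COMMON = ["pass in quick on lo0 all",
          "pass out quick on lo0 all",
          "pass out quick on xn0 all keep state"]
BLOCK_REST = "block in log first quick on xn0 all"

# The rules as posted (minus the snipped DHCP/NTP/ICMP rules).
POSTED_RULES = [parse_rule(r) for r in COMMON + [
    "pass in log first on xn0 from 72.205.44.0/23 to any", BLOCK_REST]]
# Same, with 'quick' on the subnet rule so the trailing block never sees its traffic.
QUICK_FIX_RULES = [parse_rule(r) for r in COMMON + [
    "pass in log first quick on xn0 from 72.205.44.0/23 to any", BLOCK_REST]]
# The narrower ruleset the poster says they eventually want: SSH only, from the subnet.
SSH_ONLY_RULES = [parse_rule(r) for r in COMMON + [
    "pass in quick on xn0 proto tcp from 72.205.44.0/23 to any port = 22 keep state", BLOCK_REST]]

# Constructed packets: SSH_SYN mirrors the ipmon line with placeholder octets.
SSH_SYN = {"dir": "in", "iface": "xn0", "proto": "tcp",
           "src": "72.205.45.10", "sport": 40455, "dst": "104.128.0.10", "dport": 22}
OUTSIDE_SYN = dict(SSH_SYN, src="198.51.100.7")  # outside the subnet (RFC 5737 range)
HTTP_SYN = dict(SSH_SYN, dport=80)               # inside the subnet, wrong port

if __name__ == "__main__":
    for name, rules in [("posted", POSTED_RULES), ("quick fix", QUICK_FIX_RULES),
                        ("ssh only", SSH_ONLY_RULES)]:
        for pname, pkt in [("ssh from subnet", SSH_SYN), ("ssh from outside", OUTSIDE_SYN),
                           ("http from subnet", HTTP_SYN)]:
            verdict, n = evaluate(rules, pkt)
            print("%-9s %-16s -> %-5s by rule %s" % (name, pname, verdict, n))
```

Run stand-alone it prints one verdict per ruleset and packet; with the posted rules the SSH packet matches the subnet `pass in` rule, but since that rule is not `quick` the walk continues to the final `quick` block rule, which wins. Marking the subnet rule `quick` (or narrowing it to `proto tcp ... port = 22`) lets SSH from the subnet through while traffic from outside the subnet, or to other ports, still hits the block.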